[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1350 Introduced in Senate (IS)]

117th CONGRESS
  1st Session
                                S. 1350

 To require the Secretary of Homeland Security to establish a national 
             risk management cycle, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 22, 2021

 Ms. Hassan (for herself and Mr. Sasse) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To require the Secretary of Homeland Security to establish a national 
             risk management cycle, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Risk Management Act of 
2021''.

SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.), is amended by adding at the end the 
following:

``SEC. 2218. NATIONAL RISK MANAGEMENT CYCLE.

    ``(a) Definitions.--In this section:
            ``(1) Critical infrastructure.--The term `critical 
        infrastructure' has the meaning given the term in section 
        1016(e) of the Critical Infrastructures Protection Act of 2001 
        (42 U.S.C. 5195c(e)).
            ``(2) National critical functions.--The term `national 
        critical functions' means the functions of government and the 
        private sector so vital to the United States that their 
        disruption, corruption, or dysfunction would have a 
        debilitating effect on security, national economic security, 
        national public health or safety, or any combination thereof.
    ``(b) National Risk Management Cycle.--
            ``(1) Risk identification and assessment.--
                    ``(A) In general.--The Secretary, acting through 
                the Director, shall establish a process by which to 
                identify, assess, and prioritize risks to critical 
                infrastructure, considering both cyber and physical 
                threats, vulnerabilities, and consequences.
                    ``(B) Consultation.--In establishing the process 
                required under subparagraph (A), the Secretary shall 
                consult with Sector Risk Management Agencies, critical 
                infrastructure owners and operators, and the National 
                Cyber Director.
                    ``(C) Publication.--Not later than 180 days after 
                the date of enactment of this section, the Secretary 
                shall publish in the Federal Register procedures for 
                the process established under subparagraph (A).
                    ``(D) Report.--The Secretary shall submit to the 
                President, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                report on the risks identified by the process 
                established under subparagraph (A)--
                            ``(i) not later than 1 year after the date 
                        of enactment of this section; and
                            ``(ii) not later than 1 year after the date 
                        on which the Secretary submits a periodic 
                        evaluation described in section 9002(b)(2) of 
                        title XC of division H of the William M. (Mac) 
                        Thornberry National Defense Authorization Act 
                        for Fiscal Year 2021 (Public Law 116-283).
            ``(2) National critical infrastructure resilience 
        strategy.--
                    ``(A) In general.--Not later than 1 year after the 
                date on which the Secretary delivers each report 
                required under paragraph (1), the President shall 
                deliver to majority and minority leaders of the Senate, 
                the Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                national critical infrastructure resilience strategy 
                designed to address the risks identified by the 
                Secretary.
                    ``(B) Elements.--In each strategy delivered under 
                subparagraph (A), the President shall--
                            ``(i) identify, assess, and prioritize 
                        areas of risk to critical infrastructure that 
                        would compromise, disrupt, or impede their 
                        ability to support the national critical 
                        functions of national security, economic 
                        security, or public health and safety;
                            ``(ii) assess the implementation of the 
                        previous national critical infrastructure 
                        resilience strategy, as applicable;
                            ``(iii) identify and outline current and 
                        proposed national-level actions, programs, and 
                        efforts to be taken to address the risks 
                        identified;
                            ``(iv) identify the Federal departments or 
                        agencies responsible for leading each national-
                        level action, program, or effort and the 
                        relevant critical infrastructure sectors for 
                        each;
                            ``(v) outline the budget plan required to 
                        provide sufficient resources to successfully 
                        execute the full range of activities proposed 
                        or described by the strategy; and
                            ``(vi) request any additional authorities 
                        or resources necessary to successfully execute 
                        the strategy.
                    ``(C) Form.--Each strategy delivered under 
                subparagraph (A) shall be unclassified, but may contain 
                a classified annex.
            ``(3) Congressional briefing.--Not later than 1 year after 
        the date on which the President delivers a strategy under this 
        section, and every year thereafter, the Secretary, in 
        coordination with Sector Risk Management Agencies, shall brief 
        the appropriate committees of Congress on the national risk 
        management cycle activities undertaken pursuant to the 
        strategy.''.
    (b) Technical and Conforming Amendment.--The table of contents in 
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 
116 Stat. 2135) is amended by inserting after the item relating to 
section 2217 the following:

``Sec. 2218. National risk management cycle.''.